permit (Security Policies)
Syntax
permit {
    advanced-connection-tracking;
    application-services {
        application-firewall {
            rule-set rule-set-name;
        }
        application-traffic-control {
            rule-set rule-set-name;
        }
        gprs-gtp-profile profile-name;
        gprs-sctp-profile profile-name;
        idp;
        redirect-wx | reverse-redirect-wx;
        ssl-proxy {
            profile-name profile-name;
        }
        uac-policy {
            captive-portal captive-portal;
        }
        utm-policy policy-name;
    }
    destination-address {
        drop-translated;
        drop-untranslated;
    }
    firewall-authentication {
        pass-through {
            access-profile profile-name;
            client-match user-or-group-name;
            ssl-termination-profile profile-name;
            web-redirect;
            web-redirect-to-https;
        }
        user-firewall {
            access-profile profile-name;
            domain domain-name;
            ssl-termination-profile profile-name;
        }
        web-authentication {
            client-match user-or-group-name;
        }
    }
    services-offload;
    tcp-options {
        sequence-check-required;
        syn-check-required;
    }
    tunnel {
        ipsec-group-vpn group-vpn;
        ipsec-vpn vpn-name;
        pair-policy pair-policy;
    }
}
Hierarchy Level
[edit security policies from-zone zone-name to-zone zone-name policy policy-name then]
Description
Specify the policy action to perform when packets match the defined criteria.
Options
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5. Support for the tcp-options option added in Junos OS Release 10.4. Support for the services-offload option added in Junos OS Release 11.4. Support for the ssl-termination-profile and web-redirect-to-https options added in Junos OS Release 12.1X44-D10. Support for the user-firewall option added in Junos OS Release 12.1X45-D10. Support for the advanced-connection-tracking option added in Junos OS Release 20.2R1.
You can configure the advanced-connection-tracking option under [edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit] to require that traffic matching the policy is looked up in the to-zone's connection-track mapping table using the new session's key information. If there is no match, a new connection is not created.
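The following is an added configuration example, not taken from this reference page, showing the permit action with advanced-connection-tracking and strict TCP checks in a policy at the hierarchy level above. The zone names trust and untrust, the policy name allow-web-strict, and the use of the predefined junos-http and junos-https applications are assumptions for illustration; the log statement is a sibling of permit under then, not part of the permit syntax.

```junos
/* Added example, not from the reference page: zone names and policy name are assumed */
security {
    policies {
        from-zone trust to-zone untrust {
            policy allow-web-strict {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit {
                        /* Requires Junos OS Release 20.2R1 or later: new sessions must
                           match an entry in the untrust zone's connection-track mapping
                           table, otherwise no connection is created */
                        advanced-connection-tracking;
                        tcp-options {
                            /* Drop TCP sessions that do not begin with a SYN */
                            syn-check-required;
                            /* Drop segments whose sequence numbers fall outside the window */
                            sequence-check-required;
                        }
                    }
                    /* Log session setup and teardown so dropped and permitted flows are auditable */
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
```

After committing, confirm the action and options with `show security policies policy-name allow-web-strict detail`.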